ci: harden workflow + add security scanning and format gates
Some checks failed
CI / storybook-a11y (push) Successful in 4m3s
CI / backend (push) Successful in 1m1s
CI / codeql (csharp) (push) Failing after 39m18s
CI / codeql (javascript-typescript) (push) Failing after 1m22s
CI / frontend (push) Successful in 1m25s
CI / api-client-drift (push) Successful in 1m34s

- permissions: contents:read (least privilege), concurrency cancel,
  scope push to main+tags (was: every branch, double-running with PRs),
  per-job timeout-minutes.
- security: npm audit --omit=dev, CodeQL SAST (TS + C#), Dependabot
  (npm/nuget/actions).
- format: npm run format:check + dotnet format --verify-no-changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-03 13:39:31 +02:00
parent 1137f59f7b
commit bf920696ac
3 changed files with 62 additions and 0 deletions

17
.github/dependabot.yml vendored Normal file
View File

@@ -0,0 +1,17 @@
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 10
- package-ecosystem: nuget
directory: /backend
schedule:
interval: weekly
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly

View File

@@ -2,11 +2,23 @@ name: CI
on: on:
push: push:
branches: [main]
tags: ['v*']
pull_request: pull_request:
# Least privilege by default; the CodeQL job widens its own scope locally.
permissions:
contents: read
# A newer push to the same ref cancels the in-flight run.
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs: jobs:
frontend: frontend:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 15
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
@@ -15,13 +27,17 @@ jobs:
cache: npm cache: npm
- run: npm ci - run: npm ci
- run: npm run lint - run: npm run lint
- run: npm run format:check
- run: npm run check:tokens - run: npm run check:tokens
- run: npm test - run: npm test
- run: npm run build - run: npm run build
# The shipped bundle must stay clean; dev-only advisories are excluded.
- run: npm audit --omit=dev
storybook-a11y: storybook-a11y:
# Axe runs against every story in the static build; a violation fails the build. # Axe runs against every story in the static build; a violation fails the build.
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 15
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
@@ -35,16 +51,43 @@ jobs:
backend: backend:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 15
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4 - uses: actions/setup-dotnet@v4
with: with:
dotnet-version: 10.0.x dotnet-version: 10.0.x
- run: dotnet format backend/BigRegister.slnx --verify-no-changes
- run: dotnet test backend/BigRegister.slnx - run: dotnet test backend/BigRegister.slnx
codeql:
# Static analysis (SAST) for both sides; results appear under the Security tab.
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
security-events: write
contents: read
actions: read
strategy:
fail-fast: false
matrix:
language: [javascript-typescript, csharp]
steps:
- uses: actions/checkout@v4
- if: matrix.language == 'csharp'
uses: actions/setup-dotnet@v4
with:
dotnet-version: 10.0.x
- uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3
api-client-drift: api-client-drift:
# The committed typed client must match the backend OpenAPI doc. # The committed typed client must match the backend OpenAPI doc.
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 15
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4

View File

@@ -4,6 +4,8 @@
"scripts": { "scripts": {
"ng": "ng", "ng": "ng",
"lint": "eslint .", "lint": "eslint .",
"format:check": "prettier --check .",
"format": "prettier --write .",
"start": "ng serve --proxy-config proxy.conf.json", "start": "ng serve --proxy-config proxy.conf.json",
"gen:api": "cd backend && dotnet tool restore && dotnet build src/BigRegister.Api -v q && dotnet swagger tofile --output swagger.json src/BigRegister.Api/bin/Debug/net10.0/BigRegister.Api.dll v1 && cd .. && nswag run nswag.json", "gen:api": "cd backend && dotnet tool restore && dotnet build src/BigRegister.Api -v q && dotnet swagger tofile --output swagger.json src/BigRegister.Api/bin/Debug/net10.0/BigRegister.Api.dll v1 && cd .. && nswag run nswag.json",
"build": "ng build", "build": "ng build",